java.lang.security.audit.url-rewriting.url-rewriting


URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.



Definition

rules:
  - id: url-rewriting
    message: URL rewriting has significant security risks. Since session ID appears
      in the URL, it may be easily seen by third parties.
    metadata:
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    severity: WARNING
    languages:
      - java
    pattern-either:
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...) {
            ...
            $RES.encodeURL(...);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...) {
            ...
            $RES.encodeUrl(...);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...) {
            ...
            $RES.encodeRedirectURL(...);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...) {
            ...
            $RES.encodeRedirectUrl(...);
            ...
          }
      - pattern: |
          $X $METHOD(...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.encodeURL(...);
            ...
          }
      - pattern: |
          $X $METHOD(...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.encodeUrl(...);
            ...
          }
      - pattern: |
          $X $METHOD(...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.encodeRedirectURL(...);
            ...
          }
      - pattern: |-
          $X $METHOD(...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.encodeRedirectUrl(...);
            ...
          }

Examples

url-rewriting.java

package testcode.cookie;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

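/**
 * Test fixture for the {@code url-rewriting} rule.
 *
 * <p>{@code encodeURL}/{@code encodeRedirectURL} (and their deprecated lower-case
 * aliases) may embed the session ID into the returned URL when the container falls
 * back to URL rewriting, so the identifier can leak through logs, Referer headers and
 * browser history. Containers can be restricted to cookie-based tracking
 * ({@code SessionTrackingMode.COOKIE}) so these calls never rewrite.
 *
 * <p>Methods marked {@code ruleid} are expected findings; methods marked {@code ok} must
 * not be reported. Each marker comment must stay on the line directly above the method
 * declaration it refers to, because that is where the test harness looks for it.
 *
 * <p>This is a pattern fixture rather than a working servlet: return values are
 * discarded and {@code SomeDifferentRequest} is deliberately undeclared.
 */
public class UrlRewriting extends HttpServlet {

    // Entry point that drives one of the flagged helpers; the result is intentionally unused.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        encodeURLRewrite(resp, req.getRequestURI());
    }

    // Expected finding: encodeURL on an HttpServletResponse parameter.
    // ruleid: url-rewriting
    private String encodeURLRewrite(HttpServletResponse resp, String url) {
        return resp.encodeURL(url);
    }

    // Expected finding: deprecated alias of encodeURL.
    // ruleid: url-rewriting
    public String encodeUrlRewrite(HttpServletResponse resp, String url) {
        return resp.encodeUrl(url); // deprecated alias of encodeURL
    }

    // Expected finding: encodeRedirectURL on an HttpServletResponse parameter.
    // ruleid: url-rewriting
    public String encodeRedirectURLRewrite(HttpServletResponse resp, String url) {
        return resp.encodeRedirectURL(url);
    }

    // Expected finding: deprecated alias of encodeRedirectURL.
    // ruleid: url-rewriting
    public String encodeRedirectUrlRewrite(HttpServletResponse resp, String url) {
        return resp.encodeRedirectUrl(url); // deprecated alias of encodeRedirectURL
    }

    // Must not be reported: the receiver is not an HttpServletResponse.
    // ok: url-rewriting
    public String encodeRedirectURLRewrite(SomeDifferentRequest resp, String url) {
        return resp.encodeURL(url);
    }

    // Must not be reported: the response is used but no encode method is called.
    // Renamed from encodeRedirectUrlRewrite, which duplicated the signature of the
    // ruleid case above (same name and parameter types do not compile).
    // ok: url-rewriting
    public String readHeaderNoRewrite(HttpServletResponse resp, String url) {
        return resp.getHeader(url);
    }
}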